InfoSec Handlers Diary Blog

We received several reports from various companies (http://www.intego.com/news/ism0705.asp) about a Mac DNS changer Trojan in the wild. As I happened to receive a sample of it, I decided to analyze it quickly.

The whole Trojan is relatively simple and works almost exactly the same as its Windows counterpart. When executed, the Trojan changes the DNS settings on the machine and reports back to the C&C server.

While the Trojan is relatively simple and not a big threat, two things came to my mind immediately. First, the bad guys are now taking Macs seriously: this is a professional attempt at attacking Mac systems, and it could have been much more damaging than it is. Second, as the folks at Sunbelt noticed (http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-trojan.html), when they sent a sample to VirusTotal, zero (nada, zilch) products detected it.

So, let’s see what really happens here. The “social engineering” part has been seen a million times: an unsuspecting user visits a web site with a movie on it, but needs to download a new codec in order to view it. On Windows, that new codec is typically a PE executable; for the Mac, the bad guys prepared a DMG archive (DMG files are disk images, much like ISOs). The user is then prompted to install the package, and during this process has to supply administrator credentials. Yep, it’s game over from this point on, and the attack is exactly the same as on Windows. Keep in mind that these users *will* willingly supply those credentials.

Now that we know what happens, let’s see how the whole thing works. I analyzed this on a Linux machine, so I first had to convert the DMG file into something Linux can read (an ISO). The simple dmg2img utility available from http://vu1tur.eu.org/tools/ does the job perfectly.

Once you have converted the file to an ISO image, you can mount it and see what is going on. The most important directory is Resources, which contains the scripts that are executed before and after the installation. The files that get installed are kept in Archive.pax.gz, a gzip-compressed cpio archive.

The preinstall/preupgrade files from the Resources directory are executed as soon as the installation starts, and they do the main job. These two files are plain shell scripts that change the DNS server settings on the machine with the scutil utility. Here is what they set the DNS servers to:

#!/bin/bash

# the two resolvers the script pushes into the system DNS configuration via scutil
s1=85.255.116.71
s2=85.255.112.63

# directory the rest of the script works in
path="/Library/Internet Plug-Ins"

(Yes, the IP addresses are familiar.) The scripts also create a new cron job that runs every minute. The cron job executes a file called plugins.settings, which is just a copy of the preinstall/preupgrade scripts; it makes sure that the DNS servers stay set to the addresses above and that the cron job itself is not removed.
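The following Python script is an added example for triaging the package from the mounted image; it is not code from this diary or from the malware. It pulls the hard-coded resolver addresses and paths out of whatever scripts sit in Resources, and lists the files Archive.pax.gz would drop by parsing the archive as a portable ASCII ("odc", magic 070707) cpio stream, the cpio flavour that pax writes (an assumption here, since all we know is that it is a gzip-compressed cpio file). The sample script and sample archive at the bottom are constructed, not taken from the real package.

```python
"""Triage helper for a mounted Mac installer package: pull the resolver IPs and
paths the Resources scripts hard-code, and list what Archive.pax.gz would drop."""
import gzip
import re
import sys
from pathlib import Path
from typing import Dict, List, Tuple

# VAR=1.2.3.4 style assignments (optionally quoted), as in the preinstall script
IP_ASSIGN = re.compile(r'^\s*(\w+)=["\']?((?:\d{1,3}\.){3}\d{1,3})["\']?\s*$', re.M)
# VAR="/some/path" style assignments
PATH_ASSIGN = re.compile(r'^\s*(\w+)=["\']?(/[^"\'\n]*)["\']?\s*$', re.M)
# tools the diary says the scripts rely on; report which ones a script mentions
TOOLS = ("scutil", "crontab", "perl")


def script_indicators(script: str) -> Dict[str, object]:
    """Extract hard-coded DNS servers, paths and tool names from one script."""
    return {
        "dns_servers": sorted({ip for _, ip in IP_ASSIGN.findall(script)}),
        "paths": {name: p for name, p in PATH_ASSIGN.findall(script)},
        "tools": [t for t in TOOLS if re.search(r"\b%s\b" % t, script)],
    }


def list_cpio_odc(data: bytes) -> List[Tuple[str, int, int]]:
    """Walk a portable ASCII ("odc", magic 070707) cpio archive.

    Each entry is a 76-byte octal ASCII header: magic(6) dev(6) ino(6) mode(6)
    uid(6) gid(6) nlink(6) rdev(6) mtime(11) namesize(6) filesize(11), then the
    NUL-terminated name and the raw file data.  Returns (name, mode, size).
    """
    entries = []
    pos = 0
    while pos + 76 <= len(data):
        hdr = data[pos:pos + 76]
        if hdr[:6] != b"070707":
            raise ValueError("not an odc cpio header at offset %d" % pos)
        mode, namesize, filesize = int(hdr[18:24], 8), int(hdr[59:65], 8), int(hdr[65:76], 8)
        pos += 76
        name = data[pos:pos + namesize - 1].decode("utf-8", "replace")  # drop the NUL
        pos += namesize
        if name == "TRAILER!!!":
            break
        entries.append((name, mode, filesize))
        pos += filesize
    return entries


def list_pax_gz(blob: bytes) -> List[str]:
    """Names of the files a gzip-compressed pax/cpio archive would install."""
    return [name for name, _, _ in list_cpio_odc(gzip.decompress(blob))]


def triage(package_root: Path) -> Dict[str, object]:
    """Run both checks over a mounted or extracted package directory."""
    report = {"scripts": {}, "payload": []}
    for script in sorted((package_root / "Resources").glob("*")):
        if script.is_file():
            report["scripts"][script.name] = script_indicators(script.read_text(errors="replace"))
    pax = package_root / "Archive.pax.gz"
    if pax.is_file():
        report["payload"] = list_pax_gz(pax.read_bytes())
    return report


# ---- constructed sample input (not the real package) ----
SAMPLE_PREINSTALL = '''#!/bin/bash

s1=85.255.116.71
s2=85.255.112.63

path="/Library/Internet Plug-Ins"
'''


def build_odc(files: Dict[str, bytes]) -> bytes:
    """Build a minimal odc cpio archive; used only to fabricate sample input."""
    out = bytearray()
    for ino, (name, body) in enumerate(list(files.items()) + [("TRAILER!!!", b"")], 1):
        nm = name.encode() + b"\0"
        out += ("070707%06o%06o%06o%06o%06o%06o%06o%011o%06o%011o"
                % (0, ino, 0o100644, 0, 0, 1, 0, 0, len(nm), len(body))).encode()
        out += nm + body
    return bytes(out)


SAMPLE_PAX_GZ = gzip.compress(build_odc({"Library/Internet Plug-Ins/plugins.settings": SAMPLE_PREINSTALL.encode()}))

if __name__ == "__main__":
    if len(sys.argv) > 1:          # real use: python triage.py /mnt/pkg
        print(triage(Path(sys.argv[1])))
    else:                          # demo on the constructed sample
        print(script_indicators(SAMPLE_PREINSTALL), list_pax_gz(SAMPLE_PAX_GZ))
```

Point it at the directory where the converted ISO is mounted (the one holding Resources and Archive.pax.gz); if a real archive turns out not to start with 070707, it is a different cpio variant (binary or newc) and the parser says so rather than guessing.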

Finally, the postinstall/postupgrade scripts execute a Perl script called sendreq. This Perl script collects some information about the local machine (the output of uname -p and hostname), Base64-encodes it and sends it to the C&C server (85.255.121.37). Interestingly, the data is submitted in the Accept-Language: header, so it should be easy to write a Snort signature to catch this.
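As an added example (not the diary's code, and not recovered from sendreq itself), the following Python script does what such a Snort signature would do: it parses a raw HTTP request, checks whether Accept-Language looks like a real language list, and reports the value if it is instead Base64 that decodes to printable text. The two requests at the bottom are constructed; the exact layout of the beacon (the output of uname -p and hostname, Base64-encoded, as the Accept-Language value, sent to 85.255.121.37) is an assumption based on the description above.

```python
"""Spot sendreq-style beacons: an HTTP Accept-Language header that carries Base64
data instead of language tags.  Added example; the beacon layout is assumed."""
import base64
import binascii
import re
from typing import Dict, Optional, Tuple

# One language range: "*" or "en", "en-US", "zh-Hant-TW", with an optional ;q= weight.
_RANGE = r"(?:\*|[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*)(?:\s*;\s*q=(?:0(?:\.\d{1,3})?|1(?:\.0{1,3})?))?"
LANGUAGE_LIST = re.compile(r"^\s*%s(?:\s*,\s*%s)*\s*$" % (_RANGE, _RANGE))
BASE64_BODY = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP request into its request line and a lower-cased header map."""
    head = raw.decode("latin-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def base64_text(value: str) -> Optional[str]:
    """Return the decoded text if value is Base64 that decodes to printable ASCII."""
    compact = value.replace(" ", "")
    if len(compact) < 8 or len(compact) % 4 or not BASE64_BODY.match(compact):
        return None
    try:
        decoded = base64.b64decode(compact, validate=True)
    except binascii.Error:
        return None
    if decoded and all(32 <= b < 127 or b in (9, 10, 13) for b in decoded):
        return decoded.decode("ascii").strip()
    return None


def inspect_request(raw: bytes) -> Dict[str, object]:
    """Flag a request whose Accept-Language is not a language list or decodes as Base64."""
    request_line, headers = parse_request(raw)
    value = headers.get("accept-language")
    verdict = {"request": request_line, "host": headers.get("host"),
               "suspicious": False, "decoded": None}
    if value is None:
        return verdict
    decoded = base64_text(value)
    if decoded is not None or not LANGUAGE_LIST.match(value):
        verdict["suspicious"] = True
        verdict["decoded"] = decoded
    return verdict


# ---- constructed samples (not captured traffic) ----
BENIGN = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
          b"Accept-Language: en-US,en;q=0.8\r\n\r\n")
# What the diary describes: `uname -p` and `hostname` output, Base64-encoded and
# sent as Accept-Language to the C&C address.  The exact layout is an assumption.
_INFO = b"i386 macbook.local"
BEACON = (b"GET / HTTP/1.1\r\nHost: 85.255.121.37\r\n"
          b"Accept-Language: " + base64.b64encode(_INFO) + b"\r\n\r\n")

if __name__ == "__main__":
    for req in (BENIGN, BEACON):
        print(inspect_request(req))
```

The two signals are checked independently on purpose: a short Base64 blob made only of letters would pass the language-tag grammar, and a value that is not Base64 at all can still fail the grammar. Either is worth a look on an egress proxy log.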

As I said, although the Trojan is really simple, it could have done much worse things (once the installer script runs with root privileges, it is game over anyway). This malware shows that we must not ignore Mac machines, and that Mac users should not believe they are invulnerable just because they use a Mac and can therefore click on absolutely everything.

From the network point of view, pay attention to DNS traffic: any DNS requests that leave your network and do not come from your own DNS servers are coming from either infected or misconfigured machines.
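The following Python snippet, an added example rather than anything from the diary, applies that rule to flow records: it reports every internal host that sent port 53 traffic outside the network without being one of the sanctioned resolvers. The network range, resolver address and flow lines are constructed assumptions; the two destinations 85.255.116.71 and 85.255.112.63 are the addresses the Trojan configures, so a hit on them is more than a misconfiguration.

```python
"""Pick out internal hosts that talk DNS to the outside world directly, bypassing
the resolvers they are supposed to use.  Added example with constructed data."""
import ipaddress
from typing import Dict, Set

INTERNAL = ipaddress.ip_network("192.168.1.0/24")      # assumption: our LAN
RESOLVERS = {ipaddress.ip_address("192.168.1.53")}      # assumption: the only sanctioned forwarder

# Constructed "src dst proto dport" flow records, as a firewall might export them
SAMPLE_FLOWS = """\
192.168.1.53  8.8.8.8        udp 53
192.168.1.20  192.168.1.53   udp 53
192.168.1.77  85.255.116.71  udp 53
192.168.1.77  85.255.112.63  udp 53
192.168.1.81  1.1.1.1        tcp 53
192.168.1.20  93.184.216.34  tcp 443
"""


def rogue_dns_clients(flows: str, internal=INTERNAL, resolvers=RESOLVERS) -> Dict[str, Set[str]]:
    """Map each internal non-resolver host to the external DNS servers it contacted."""
    hits: Dict[str, Set[str]] = {}
    for line in flows.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[3] != "53":
            continue
        src, dst = ipaddress.ip_address(fields[0]), ipaddress.ip_address(fields[1])
        # the resolver itself is allowed out; everything else inside should not be
        if src in internal and dst not in internal and src not in resolvers:
            hits.setdefault(str(src), set()).add(str(dst))
    return hits


if __name__ == "__main__":
    for host, servers in sorted(rogue_dns_clients(SAMPLE_FLOWS).items()):
        print(host, "->", ", ".join(sorted(servers)))
```

Both UDP and TCP port 53 are counted, since a changed resolver setting is used for every lookup the machine makes, and the result keyed by source host is what you hand to whoever owns that machine.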

UPDATE

Matt Jonkman at Bleedingthreats.net released a Snort signature that detects infected Mac machines reporting to the C&C server by checking the Accept-Language header. I’m pasting the signature below: